BLUETOOTH wireless technology is a de facto standard, as well as a specification for small form factor, low-cost, short-range radio links between mobile PCs, mobile phones and other portable devices. When two BLUETOOTH devices are about to communicate with each other, a connection must be set up. One device, the initial master, must set up the connection using the specific BLUETOOTH device address of the other device.
The BLUETOOTH base-band supports link-level authentication. When authentication is enabled, a PIN (Personal Identification Number) code must be entered on both devices wanting to communicate before a connection (link) can be established. The same PIN code is entered on both devices. The PIN code is only valid between the two devices active at the moment. A device can use different PIN codes for different devices it wants to communicate with. Once authentication has been performed, the devices may choose to save a link key so that the PIN code does not have to be entered each time a connection is set up.
The BLUETOOTH base-band supports encryption. To enable encryption, a PIN code must be entered on both devices wanting to communicate (the same process as for authentication). The PIN code is used to create the key for the encryption.
If a device has authentication turned off, any device can connect to it, provided that its BLUETOOTH device address is known. It is possible to “snoop” the BLUETOOTH device address by listening to its communication with other devices.
A BLUETOOTH device normally keeps the following information stored:
- BLUETOOTH device address (48-bit unique number identifying the device).
- Other BLUETOOTH device specific information (e.g. name, class of device, clock offset, page scan mode).
- PIN code to be used when connecting to this device.
- The services it supports (e.g. LAN access profile, Serial port profile, etc.).
- Proprietary information, i.e. information that is specific to a certain vendor.
The information in the list above is referred to from now on as the Device Identifier Block, or DIB for short. All or part of the information in the DIB is needed to establish a BLUETOOTH link with a remote device quickly and securely.
Usually the BLUETOOTH device address is found by doing an INQUIRY. The INQUIRY procedure is a search procedure; it returns the BLUETOOTH device addresses of all devices that are in the vicinity. For a device to respond to an INQUIRY, it has to be in INQUIRY_SCAN mode. This makes it visible to all devices performing INQUIRY. When an INQUIRY has been made, the user is usually prompted with a list of devices to choose from. Once a device has been chosen, its BLUETOOTH device address can be saved for future connections.
An INQUIRY procedure usually takes 10 seconds. If the names of the remote devices are desired (usually the case when users are requested to select from a list), a name request must be performed for each BLUETOOTH device address. This procedure takes 2.57 seconds on average for each device. Traditionally, in BLUETOOTH, most of the information contained in the DIB is transferred from one device to another using the INQUIRY procedure.
Not all devices have a user interface that lets the user select the appropriate device after an INQUIRY (a search), which may cause problems where several devices are present. In some scenarios, e.g. for security reasons, a device cannot be in INQUIRY_SCAN mode, since it might not be suitable for it to be visible to other devices performing INQUIRY. It should be noted that a BLUETOOTH device in INQUIRY_SCAN mode will respond to INQUIRY from all devices.
In scenarios where a device often changes the device it communicates with, the INQUIRY procedure takes too long to be performed every time a change is made. In other scenarios, where none of the communicating devices has a user interface for entering a PIN code, authentication and encryption cannot be used.
In scenarios where it is absolutely critical to communicate with the correct device, the search-and-select procedure using INQUIRY and name request is not secure enough.
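A defender's check for the two exposures described above (a device with authentication turned off, and a device in INQUIRY_SCAN mode), as an added example that is not part of the original text: it audits the adapter flag line printed by the BlueZ `hciconfig` tool. The sample output is constructed, and the function names and finding labels are assumptions of this example.

```python
import re

# Constructed sample in the style of BlueZ `hciconfig` output (not from a real host).
SAMPLE = """\
hci0:\tType: Primary  Bus: USB
\tBD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
\tUP RUNNING PSCAN ISCAN
hci1:\tType: Primary  Bus: UART
\tBD Address: 66:77:88:99:AA:BB  ACL MTU: 1021:8  SCO MTU: 64:1
\tUP RUNNING PSCAN AUTH ENCRYPT
hci2:\tType: Primary  Bus: USB
\tBD Address: CC:DD:EE:FF:00:11  ACL MTU: 310:10  SCO MTU: 64:8
\tDOWN
"""

# Adapter state flags that hciconfig prints on one line per adapter.
KNOWN_FLAGS = {"UP", "DOWN", "INIT", "RUNNING", "RAW",
               "PSCAN", "ISCAN", "INQUIRY", "AUTH", "ENCRYPT"}
ADDR_RE = re.compile(r"BD Address: ((?:[0-9A-F]{2}:){5}[0-9A-F]{2})", re.I)

def parse_adapters(text):
    """Return {adapter: {"address": str or None, "flags": set}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"(hci\d+):", line)
        if head:
            current = head.group(1)
            adapters[current] = {"address": None, "flags": set()}
            continue
        if current is None:
            continue
        addr = ADDR_RE.search(line)
        if addr:
            adapters[current]["address"] = addr.group(1).upper()
        tokens = line.split()
        if tokens and set(tokens) <= KNOWN_FLAGS:  # the flag line holds only flags
            adapters[current]["flags"] = set(tokens)
    return adapters

def audit(text):
    """Flag adapters that are discoverable or connectable without authentication."""
    findings = []
    for name, info in sorted(parse_adapters(text).items()):
        flags = info["flags"]
        if "UP" not in flags:
            continue  # a downed adapter answers nothing
        if "ISCAN" in flags:  # INQUIRY_SCAN: responds to INQUIRY from all devices
            findings.append((name, "inquiry-scan-enabled"))
        if "PSCAN" in flags and "AUTH" not in flags:  # connectable, no PIN required
            findings.append((name, "no-link-authentication"))
    return findings
```

On a live host the same functions can be fed the text captured from `hciconfig` instead of `SAMPLE`.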